1// SPDX-License-Identifier: GPL-2.0+
2/*
3 * Copyright 2018, Michael Ellerman, IBM Corp.
4 *
5 * Test that an out-of-bounds branch to counter behaves as expected.
6 */
7
8#include <setjmp.h>
9#include <stdio.h>
10#include <stdlib.h>
11#include <string.h>
12#include <sys/mman.h>
13#include <sys/types.h>
14#include <sys/wait.h>
15#include <ucontext.h>
16#include <unistd.h>
17
18#include "utils.h"
19
20
21#define BAD_NIP	0x788c545a18000000ull
22
23static struct pt_regs signal_regs;
24static jmp_buf setjmp_env;
25
26static void save_regs(ucontext_t *ctxt)
27{
28	struct pt_regs *regs = ctxt->uc_mcontext.regs;
29
30	memcpy(&signal_regs, regs, sizeof(signal_regs));
31}
32
33static void segv_handler(int signum, siginfo_t *info, void *ctxt_v)
34{
35	save_regs(ctxt_v);
36	longjmp(setjmp_env, 1);
37}
38
39static void usr2_handler(int signum, siginfo_t *info, void *ctxt_v)
40{
41	save_regs(ctxt_v);
42}
43
44static int ok(void)
45{
46	printf("Everything is OK in here.\n");
47	return 0;
48}
49
50#define REG_POISON	0x5a5a
51#define POISONED_REG(n)	((((unsigned long)REG_POISON) << 48) | ((n) << 32) | \
52			 (((unsigned long)REG_POISON) << 16) | (n))
53
54static inline void poison_regs(void)
55{
56	#define POISON_REG(n)	\
57	  "lis  " __stringify(n) "," __stringify(REG_POISON) ";" \
58	  "addi " __stringify(n) "," __stringify(n) "," __stringify(n) ";" \
59	  "sldi " __stringify(n) "," __stringify(n) ", 32 ;" \
60	  "oris " __stringify(n) "," __stringify(n) "," __stringify(REG_POISON) ";" \
61	  "addi " __stringify(n) "," __stringify(n) "," __stringify(n) ";"
62
63	asm (POISON_REG(15)
64	     POISON_REG(16)
65	     POISON_REG(17)
66	     POISON_REG(18)
67	     POISON_REG(19)
68	     POISON_REG(20)
69	     POISON_REG(21)
70	     POISON_REG(22)
71	     POISON_REG(23)
72	     POISON_REG(24)
73	     POISON_REG(25)
74	     POISON_REG(26)
75	     POISON_REG(27)
76	     POISON_REG(28)
77	     POISON_REG(29)
78	     : // inputs
79	     : // outputs
80	     : "15", "16", "17", "18", "19", "20", "21", "22", "23", "24", "25",
81	       "26", "27", "28", "29"
82	);
83	#undef POISON_REG
84}
85
86static int check_regs(void)
87{
88	unsigned long i;
89
90	for (i = 15; i <= 29; i++)
91		FAIL_IF(signal_regs.gpr[i] != POISONED_REG(i));
92
93	printf("Regs OK\n");
94	return 0;
95}
96
97static void dump_regs(void)
98{
99	for (int i = 0; i < 32; i += 4) {
100		printf("r%02d 0x%016lx  r%02d 0x%016lx  " \
101		       "r%02d 0x%016lx  r%02d 0x%016lx\n",
102		       i, signal_regs.gpr[i],
103		       i+1, signal_regs.gpr[i+1],
104		       i+2, signal_regs.gpr[i+2],
105		       i+3, signal_regs.gpr[i+3]);
106	}
107}
108
109#ifdef _CALL_AIXDESC
110struct opd {
111	unsigned long ip;
112	unsigned long toc;
113	unsigned long env;
114};
115static struct opd bad_opd = {
116	.ip = BAD_NIP,
117};
118#define BAD_FUNC (&bad_opd)
119#else
120#define BAD_FUNC BAD_NIP
121#endif
122
123int test_wild_bctr(void)
124{
125	int (*func_ptr)(void);
126	struct sigaction segv = {
127		.sa_sigaction = segv_handler,
128		.sa_flags = SA_SIGINFO
129	};
130	struct sigaction usr2 = {
131		.sa_sigaction = usr2_handler,
132		.sa_flags = SA_SIGINFO
133	};
134
135	FAIL_IF(sigaction(SIGSEGV, &segv, NULL));
136	FAIL_IF(sigaction(SIGUSR2, &usr2, NULL));
137
138	bzero(&signal_regs, sizeof(signal_regs));
139
140	if (setjmp(setjmp_env) == 0) {
141		func_ptr = ok;
142		func_ptr();
143
144		kill(getpid(), SIGUSR2);
145		printf("Regs before:\n");
146		dump_regs();
147		bzero(&signal_regs, sizeof(signal_regs));
148
149		poison_regs();
150
151		func_ptr = (int (*)(void))BAD_FUNC;
152		func_ptr();
153
154		FAIL_IF(1); /* we didn't segv? */
155	}
156
157	FAIL_IF(signal_regs.nip != BAD_NIP);
158
159	printf("All good - took SEGV as expected branching to 0x%llx\n", BAD_NIP);
160
161	dump_regs();
162	FAIL_IF(check_regs());
163
164	return 0;
165}
166
167int main(void)
168{
169	return test_harness(test_wild_bctr, "wild_bctr");
170}
171